Patch system in need of a fix
I have just finished downloading the latest batch of updates and patches for my PC, which totaled more than 250 megabytes. It was part of what Alan Paller, research director of the SANS Institute, called 'the worst week of 2008: Two unpatched Microsoft zero-days, the big [Domain Name System] problem/patch, and remote code execution bugs in Novell eDirectory and Sun's JRE.'
The software industry in general has done an admirable job of responding to bugs and vulnerabilities in its products. A relatively efficient system has been developed that in many cases automatically delivers the fixes to your desktop PC. But 250M? That's a quarter of a gigabyte, just to correct mistakes on a single desktop PC.
I appreciate that the vendors are accepting responsibility for correcting their mistakes. However, I would appreciate it even more if they would stop making them ' or at least slow down. I am running Windows Vista, the first operating system to be produced under Microsoft's trustworthy computing initiative, yet the updates just keep coming.
Yes, I know that today's applications and operating systems are incredibly complex and that catching all possible flaws probably is impossible. I know the good guys have to try to find every possible vulnerability, while the bad guys only have to find one.
Still, every Patch Tuesday when the downloads start, I feel like one of the refugees in 'Casablanca,' who wait, and wait, and wait. I would love to get my hands on one of those letters of transit.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.